Google scanning - is it legal?

Mike Barwise

If content is placed on the public web it is almost a foregone conclusion that search engines such as Google will spider and index it. It's also very likely that a link to that content will eventually turn up in someone's search results, and that someone will follow the link and see the content. How could any of this be remotely unlawful? If the content owner intended it to be publicly accessible, not at all. But if the owner of the material exposed it to public access in error, intending it to be private, it could be a whole different kettle of fish.

Under the Computer Misuse Act 1990 as amended by the Police and Justice Act 2006 – CMA) it is an offence to obtain "unauthorised access" to any kind of computer material, including private web content. It is not, however, a strict liability offence: for a conviction to be obtained it must be shown that there was both intent to gain access and knowledge that the access was unauthorised. It follows that finding a single URL by chance that points to unintentionally exposed private material, and even following that link once, thereby gaining access to the material, would not necessarily incur the penalty of the law. Making a habit of so doing might though.

The new Goolag Scan utility from the Cult of the Dead Cow throws an interesting light on this distinction. If exclusively restricted to scanning a user's own domain, use of the tool would be implicitly authorised. Otherwise it probably implies intent to obtain unauthorised access, as its sole purpose is to return lists of links that would normally be difficult to find, and about the existence of which the tool user necessarily had no prior knowledge. The search terms used by the tool, tailored as they are to discover content that would normally be considered to some extent confidential, reinforce the probability of intent. Subsequently following those links would tend to confirm intent still further. Were it to be shown that the content reached by this means was indeed intended by its owner to be private but had been made technically accessible merely by an oversight, it is highly probable that a conviction could be obtained under the CMA. Neither would it in all probability even be strictly necessary for the links obtained by the tool to have been actually followed. The CMA also makes it unlawful to "enable (unauthorised) access to be secured". So provided intent could be demonstrated, the mere obtaining of a URL pointing to an accidentally exposed private resource for which the tool user was not expressly authorised could possibly be an offence of itself, by "enabling" unauthorised access. It must be pointed out that none of this has yet been tested in the Courts, and until that happens it's anybody's guess how CMA will be interpreted in individual cases. Until now, "hardly at all" has been the order of the day: the pre-revision CMA having been avoided like the plague by the Crown Prosecution Service wherever alternatives could be made to stick.

So far so good. But there is an even greyer area of the same law. Goolag Scan is a prime example of the class of "dual-use tools" that has been widely discussed in the context of the revised CMA. Such tools have a legitimate purpose in helping to discover vulnerabilities, but by their very nature they can be abused in the wrong hands. It has become an offence under CMA to create, supply or obtain such a tool "intending it to be used", "believing that it is likely to be used", or "with a view to its being supplied for use" to commit unauthorised access. So there is a possible additional offence here. However, this "supply" clause has attracted much adverse criticism and indeed had to be withdrawn in its original guise and amended before it passed into law. Because of the difficulty of demonstrating "beyond reasonable doubt" matters of belief before the fact as to the possible actions of others, it could turn out to be a minefield, a mare's nest or ultimately even a red herring.